WannaCry Ransomware: Digital example of a perfect storm

WannaCry (also known as Wana Decrypt0r 2.0, Wannacryptor, WannaCrypt, wana Decryptor) ransomware disrupts 2-3 millions of devices around 150 countries, taking important files as a hostage and demanding a ransom of $600 worth of bitcoins. The ransomware is found to be using the old SMB vulnerability (MS17-010 released in April 2017) to spread across devices. There was no second doubt that crooks would find a way to weaponize the leaked NSA tool back in April 2017.

When NSA tool was leaked by a mysterious group calling themselves Shadow Broker, Microsoft had provided a patch (MS17-010) for the affected operating systems. But organizations running older, unsupported versions of Windows (such as Windows XP) were unable to apply the update because Microsoft no longer supplies security patches for those versions of Windows.

How does it work?

Most ransomware is spread through vulnerabilities, hidden within Word documents, PDFs and other files normally sent via email, or through a secondary infection on computers already affected by viruses that offer a back door for further attacks. WannaCry is using the already available and publicly exposed NSA tool, which exploits MS17-010 vulnerability to deliver the ransomware to vulnerable devices around the globe.

Once the ransomware executes, it encrypts documents which include important files, images, pdf files, word documents, and delivers a ransom note in the form of a README file (@Please_Read_Me@.txt). It also changes the victim’s wallpaper to a message demanding payment to return the files.

Below is a screenshot of the ransom note (@Please_Read_Me@.txt).

Indicators of Compromise:
The ransomware creates the below files in the directory it is executed from.

In addition to encrypting files, it also drops two executable taskdl.exe and taskse.exe. @WannaDecryptor@.exe will help in getting back the files by providing info on payments. Click here to see what @WannaDecryptor@.exe has to show.File Extentions: “wnry”, “wncry”, “wcry’.
Also, a registry entry will be added upon execution i.e.,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WannaDecrypt0r\wd

Who is affected?

This is big, the impact is biggest ever in ransomware history, around the world, doctors and nurses are scrambling to treat patients without their digital records or prescription dosages. Ambulances are being rerouted. Millions of devices around 150 countries are hit by the digital storm, which includes United Kingdom Hospitals, Russian banks, German national railway, Spain’s Telefonica, Mobile companies like MTS, Megaphone, FedEx, and users across countries. Recent victims also include Andhra Police computers in India.

Below is a screenshot of WannaCry affected countries.

ImageSource: thehackernews

What makes WannaCry so special?

The main reason why the ransomware is spreading wildly is because of its capability to penetrate through unpatched devices using SMBv1 protocol. The usage of MS17-010 known as ETERNALBLUE exploit is used as a weapon to target the unpatched windows older operating systems. Though the ransomware has clear IoC’s and is easy to debug, this ransomware stands aside as a giant because of the capability it carries.

Even if one system in an organization is exposed to this attack, the MS17-010 exploit would go on to infect all other systems within the organization within minutes.

Since the targeted systems were those with SMB vulnerability, Microsoft has released an emergency patch for its unsupported versions Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions. Organizations which are still using these unsupported versions are highly exploitable.

A British researcher known as “MalwareTech”, came up with an idea of ‘kill switch’. In this case, the ransomware tries to contact a domain. If the domain name were active, the malware would assume it was a false positive. WannaCry was designed to shutting itself down when it finds the domain as active. Since only a single domain name was hardcoded into the ransomware meant that registering that domain name had the effect of shutting down WannaCry thus slowing down the infection rate.

The infection rate has reduced. Kill switch is just a band-aid, not a solution.

Moreover,"The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack," Microsoft says.

Saner in Action:

Below is a screenshot of WannaCry Detection by Saner.

WannaCry indicators can be seen in the screenshot below.

It has been confirmed that three bitcoin address associated with WannaCry, as of 14th May have had a total of 103 confirmed payments. These bitcoin accounts have received a whopping 15 bitcoins approx.

If you don’t want to end up crying over WannaCry, trust SecPod Saner updates and patch this emergency patch by applying security updates. Download Saner now and keep your systems updated and secure.